tor-browser

early-hints-helpers.sub.js (7094B)

---

"use strict";

const SAME_ORIGIN = "https://{{host}}:{{ports[h2][0]}}";
const CROSS_ORIGIN = "https://{{hosts[alt][www]}}:{{ports[h2][0]}}";

const RESOURCES_PATH = "/loading/early-hints/resources";
const SAME_ORIGIN_RESOURCES_URL = SAME_ORIGIN + RESOURCES_PATH;
const CROSS_ORIGIN_RESOURCES_URL = CROSS_ORIGIN + RESOURCES_PATH;

/**
* Navigate to a test page with an Early Hints response.
*
* @typedef {Object} Preload
* @property {string} url - A URL to preload. Note: This is relative to the
*     `test_url` parameter of `navigateToTestWithEarlyHints()`.
* @property {string} as_attr - `as` attribute of this preload.
* @property {string} [crossorigin_attr] - `crossorigin` attribute of this
*     preload.
* @property {string} [fetchpriority_attr] - `fetchpriority` attribute of this
*     preload.
*
* @param {string} test_url - URL of a test after the Early Hints response.
* @param {Array<Preload>} preloads  - Preloads included in the Early Hints response.
* @param {bool} exclude_preloads_from_ok_response - Whether to exclude the preloads from the 200 OK reponse.
*/
function navigateToTestWithEarlyHints(test_url, preloads, exclude_preloads_from_ok_response) {
   const params = new URLSearchParams();
   params.set("test_url", test_url);
   params.set("exclude_preloads_from_ok_response",
              (!!exclude_preloads_from_ok_response).toString());
   for (const preload of preloads) {
       params.append("preloads", JSON.stringify(preload));
   }
   const url = RESOURCES_PATH +"/early-hints-test-loader.h2.py?" + params.toString();
   window.location.replace(new URL(url, window.location));
}

/**
* Parses the query string of the current window location and returns preloads
* in the Early Hints response sent via `navigateToTestWithEarlyHints()`.
*
* @returns {Array<Preload>}
*/
function getPreloadsFromSearchParams() {
   const params = new URLSearchParams(window.location.search);
   const encoded_preloads = params.getAll("preloads");
   const preloads = [];
   for (const encoded of encoded_preloads) {
       preloads.push(JSON.parse(encoded));
   }
   return preloads;
}

/**
* Fetches a script or an image.
*
* @param {string} element - "script" or "img".
* @param {string} url - URL of the resource.
*/
async function fetchResource(element, url) {
   return new Promise((resolve, reject) => {
       const el = document.createElement(element);
       el.src = url;
       el.onload = resolve;
       el.onerror = _ => reject(new Error("Failed to fetch resource: " + url));
       document.body.appendChild(el);
   });
}

/**
* Fetches a script.
*
* @param {string} url
*/
async function fetchScript(url) {
   return fetchResource("script", url);
}

/**
* Fetches an image.
*
* @param {string} url
*/
async function fetchImage(url) {
   return fetchResource("img", url);
}

/**
* Returns true when the resource is preloaded via Early Hints.
*
* @param {string} url
* @returns {boolean}
*/
function isPreloadedByEarlyHints(url) {
   const entries = performance.getEntriesByName(url);
   if (entries.length === 0) {
       return false;
   }
   assert_equals(entries.length, 1);
   return entries[0].initiatorType === "early-hints";
}

/**
* Navigate to the referrer policy test page.
*
* @param {string} referrer_policy - A value of Referrer-Policy to test.
*/
function testReferrerPolicy(referrer_policy) {
   const params = new URLSearchParams();
   params.set("referrer-policy", referrer_policy);
   const same_origin_preload_url = SAME_ORIGIN_RESOURCES_URL + "/fetch-and-record-js.h2.py?id=" + token();
   params.set("same-origin-preload-url", same_origin_preload_url);
   const cross_origin_preload_url = CROSS_ORIGIN_RESOURCES_URL + "/fetch-and-record-js.h2.py?id=" + token();
   params.set("cross-origin-preload-url", cross_origin_preload_url);

   const path = "resources/referrer-policy-test-loader.h2.py?" + params.toString();
   const url = new URL(path, window.location);
   window.location.replace(url);
}

/**
* Navigate to the content security policy basic test. The test page sends an
* Early Hints response with a cross origin resource preload. CSP headers are
* configured based on the given policies. A policy should be one of the
* followings:
*   "absent" - Do not send Content-Security-Policy header
*   "allowed" - Set Content-Security-Policy to allow the cross origin preload
*   "disallowed" - Set Content-Security-Policy to disallow the cross origin  preload
*
* @param {string} early_hints_policy - The policy for the Early Hints response
* @param {string} final_policy - The policy for the final response
*/
function navigateToContentSecurityPolicyBasicTest(
   early_hints_policy, final_policy) {
   const params = new URLSearchParams();
   params.set("resource-origin", CROSS_ORIGIN);
   params.set("resource-url",
       CROSS_ORIGIN_RESOURCES_URL + "/empty.js?" + token());
   params.set("early-hints-policy", early_hints_policy);
   params.set("final-policy", final_policy);

   const url = "resources/csp-basic-loader.h2.py?" + params.toString();
   window.location.replace(new URL(url, window.location));
}

/**
* Navigate to a test page which sends an Early Hints containing a cross origin
* preload link with/without Content-Security-Policy header. The CSP header is
* configured based on the given policy. The test page disallows the preload
* while the preload is in-flight. The policy should be one of the followings:
*   "absent" - Do not send Content-Security-Policy header
*   "allowed" - Set Content-Security-Policy to allow the cross origin preload
*
* @param {string} early_hints_policy
*/
function navigateToContentSecurityPolicyDocumentDisallowTest(early_hints_policy) {
   const resource_id = token();
   const params = new URLSearchParams();
   params.set("resource-origin", CROSS_ORIGIN);
   params.set("resource-url",
       CROSS_ORIGIN_RESOURCES_URL + "/delayed-js.h2.py?id=" + resource_id);
   params.set("resume-url",
       CROSS_ORIGIN_RESOURCES_URL + "/resume-delayed-js.h2.py?id=" + resource_id);
   params.set("early-hints-policy", early_hints_policy);

   const url = "resources/csp-document-disallow-loader.h2.py?" + params.toString();
   window.location.replace(new URL(url, window.location));
}

/**
* Navigate to a test page which sends different Cross-Origin-Embedder-Policy
* values in an Early Hints response and the final response.
*
* @param {string} early_hints_policy - The policy for the Early Hints response
* @param {string} final_policy - The policy for the final response
*/
function navigateToCrossOriginEmbedderPolicyMismatchTest(
   early_hints_policy, final_policy) {
   const params = new URLSearchParams();
   params.set("resource-url",
       CROSS_ORIGIN_RESOURCES_URL + "/empty-corp-absent.js?" + token());
   params.set("early-hints-policy", early_hints_policy);
   params.set("final-policy", final_policy);

   const url = "resources/coep-mismatch.h2.py?" + params.toString();
   window.location.replace(new URL(url, window.location));
}